Facilities: Facilities are all resources used to house and support information systems.
People: People include staff skills; awareness; and productivity to plan, organize, acquire, deliver, support, and monitor information systems and services.
COBIT's definition of Control: the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Compared to the COSO definition of internal control, both refer to the achievement of objectives: COSO states them explicitly, and COBIT refers them to the quality of information. In addition, the COBIT definition states that controls should address 'undesired events'.
The Effects of Information Technology (IT) on the emergence of Auditing Programs
Many corporations operate on a variety of computer platforms, and the auditor needs to be able to extract the data from them, bring it into a common format, analyze it, and transform it into useful information. Fortunately, there are similarities in how almost all types of computers store financial information: whether it is an IBM PC, an Apple Macintosh, a minicomputer, or a mainframe, all of them store data in three levels: files, records, and fields. Levi (1997) argues that with the right software, audits can be more comprehensive and less costly for the firm. Tools are available that can help the audit team deal with the mountains of data on corporate computers. By using these programs effectively, auditors can increase the scope of their audits substantially while reducing the time and cost of performing these tasks. For example, an open-item accounts receivable file contains thousands, if not tens of thousands, of open-item detail records; when properly stored, grouped, presented, and summarized, these records form the aged accounts receivable listing. Examples of these auditing programs, whose names have now become very familiar, include the following:
Datawatch Corporation's Monarch: an auditing program that helps auditors by turning any computer printer file (.PRN format) into a table format, which makes it easy to spot errors and suspicious entries in the data. Monarch 3.0 can also read a file that has been printed out to a diskette, and gives the auditor three distinct views of the data. It can also help detect fraud by verifying the clerical accuracy and aging of a listing in less time than it might take the auditor to test-add one column.
ACL for Windows: an auditing software program that allows auditors to analyze, interrogate, and report on data from virtually any computer platform. The recently released 4.0 version enhances the program's already user-friendly and easy-to-use interface.
WinIDEA (Interactive Data Extraction and Analysis for Windows) is another audit software package, developed by the Canadian Institute of Chartered Accountants (CICA) as a powerful and easy-to-use productivity tool, that helps auditors display, analyze, manipulate, or extract data from other computer systems, and makes it easy for the auditor to inquire into data files from a range of computer platforms and application program outputs.
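The paragraph above describes what these tools do with open-item detail records: bucket them by age and re-foot the totals so a listing's clerical accuracy can be verified. The following is an added example, not code from the page or from any of the products named; the open items, the as-of date, and the "reported" totals (which contain a deliberate footing error) are constructed values.

```python
from datetime import date

# Constructed open-item A/R detail records: (customer, invoice_no, invoice_date, amount).
OPEN_ITEMS = [
    ("Acme Corp",   "INV-1001", date(2024, 3, 2),  1200.00),
    ("Acme Corp",   "INV-1042", date(2024, 4, 15),  450.00),
    ("Bolt Ltd",    "INV-1010", date(2024, 1, 20), 3100.00),
    ("Cobb & Sons", "INV-1077", date(2024, 5, 28),  980.00),
    ("Cobb & Sons", "INV-0990", date(2023, 11, 5),  275.00),
]
AS_OF = date(2024, 6, 30)  # constructed period-end date

# Constructed totals as they might appear on a client-prepared aged listing.
# The "over 90" figure is deliberately under-footed by 100.00.
REPORTED_TOTALS = {"0-30": 0.0, "31-60": 980.0, "61-90": 450.0, "over 90": 4475.0}

# Aging buckets as (min_days, max_days, label); None means no upper bound.
BUCKETS = [(0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90"), (91, None, "over 90")]


def age_bucket(days_outstanding):
    """Map days outstanding to a bucket label; negative days (post-dated) are 'current'."""
    for lo, hi, label in BUCKETS:
        if days_outstanding >= lo and (hi is None or days_outstanding <= hi):
            return label
    return "current"


def aged_listing(items, as_of):
    """Recompute the aged listing from the detail records (the auditor's own footing)."""
    totals = {label: 0.0 for _, _, label in BUCKETS}
    totals["current"] = 0.0
    for _, _, inv_date, amount in items:
        totals[age_bucket((as_of - inv_date).days)] += amount
    return totals


def verify_listing(items, as_of, reported_totals):
    """Return {bucket: (reported, recomputed)} for every bucket whose totals disagree."""
    recomputed = aged_listing(items, as_of)
    discrepancies = {}
    for label, reported in reported_totals.items():
        got = round(recomputed.get(label, 0.0), 2)
        if abs(got - reported) > 0.005:
            discrepancies[label] = (reported, got)
    return discrepancies


if __name__ == "__main__":
    print(aged_listing(OPEN_ITEMS, AS_OF))
    print(verify_listing(OPEN_ITEMS, AS_OF, REPORTED_TOTALS))
```

Recomputing from the detail rather than trusting the client's subtotals is the point: a listing whose buckets do not foot to the detail is exactly the kind of anomaly the paragraph says these tools surface faster than manual test-adding.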
Control Objectives for Information and related Technology (COBIT)
What is COBIT? A Brief History
The Control Objectives for Information and related Technology (COBIT), 1st edition, was first issued in 1996 as a totally new educational tool for Information Systems (IS) auditors and control professionals. COBIT was primarily sponsored and designed by the Information Systems Audit and Control Foundation (ISACF). The ISACF's mission when it first issued COBIT was to research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.
How does COBIT work? What does it do?
COBIT is designed to be used by three distinct audiences: auditors, management, and end users. But how does COBIT actually aid these three parties in performing their duties? First, COBIT helps IS auditors substantiate their opinion and/or provide advice to management on internal controls; by using COBIT as the basis for determining the IT audit universe, as an IT control reference, as criteria for review and examination, and for framing IT-related audits, it can serve as the IS auditors' high-level control objectives. Second, according to the COBIT 2nd edition executive summary (1998), if the management of the organization needs generally applicable and accepted IT governance and control practices to benchmark their existing and planned IT environment, then COBIT is the tool that allows managers to communicate and bridge the gap with respect to control requirements, technical issues, and business risks. COBIT enables the development of clear policy and good practice for IT control throughout organizations worldwide. It is COBIT's goal to provide these control objectives within the defined framework and to obtain endorsement from commercial, government, and professional organizations. Thus, COBIT is intended to be the breakthrough IT governance tool that helps in understanding and managing the risks associated with information and related IT. COBIT helps management balance risk and control investment in an often unpredictable IT environment. Managers can use COBIT to guide their IT investment decisions and to obtain assurance that they are obtaining optimal results from their IT resources. Third, COBIT aids end users through its proper and accurate application: they can obtain assurance on the security and control of IT services provided by internal third parties, and with COBIT, users can obtain assurance that their business processes are well supported by their IT services.
In addition to auditors, managers, and end users, COBIT is also designed to empower business process owners so they have full responsibility for all aspects of their business processes. Thus, the COBIT framework provides a tool for the business process owner that facilitates the discharge of this responsibility, and its simple and pragmatic premise is: "In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes" (COBIT 2nd edition, April 1998).
How can COBIT improve the audit?
COBIT enhances the risk assessment and audit planning processes through COBIT-based matrices, which the audit team can use during pre-audit work to help identify areas for audit or Management Advisory Service work. It helps identify whether audit work related to an IT process was included in the prior audit scope. If it was, the form requires the auditor to identify the conclusions drawn from the prior audit work.
Using COBIT to review control objectives
COBIT has been developed as a generally applicable and accepted standard for good practices of IT control. The authors of COBIT, a newly developed model for control, position it as a bridge between "business control models" like COSO (Committee of Sponsoring Organizations of the Treadway Commission, 1994) and the more "focused control models for information technology" like DIT (Department of Trade & Industry, 1993). The COBIT model focuses on specific and detailed control objectives associated with the 32 IT processes, which are classified into 4 main domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. The value of the COBIT program is the assistance it provides in establishing a proper audit plan, as both its framework and its illustrated implementation plan provide detailed guidelines that enable practitioner auditors to review specific IT processes against specified control objectives.
Information Systems Function (ISF): pg. 261 - 264
Define, what is this?
An organization's information systems function (ISF) is the department or function that develops and operates an organization's information system. The function (department) is composed of people, procedures, and equipment, and it is typically called the information services department, IT department, or data processing department.
Types of Organizational structures for ISF:
Centralized - This type of structure places the information systems function under the line authority of the vice president of information systems (also known as the chief information officer or CIO). In practice, organizations have structured their information systems function in ways other than the centralized arrangement illustrated in Figure 8.2 on page 261.
Functional - assigns personnel to skills-based units (e.g., programming, systems analysis). Used by both decentralized and centralized organizations.
Matrix - assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader.
Project - establishes permanent systems development structures such as "Financial Systems Development."
Summarize the key control concerns (similar to business exposures) for the various ISF functions (see if you can combine similar concerns by hierarchical layer in the organization chart).
COBIT Control Process Domains: pg. 265
Planning and Organization- the main purpose is to identify ways that IT can best contribute to the achievement of the organization's objectives.
Process #1 - Establish strategic vision for IT.
Develop a strategic plan and convert the plan into short-term goals. This sets a framework for the information technology to be used to the best advantage of the organization.
Elements of a strategic IT plan include:
A summary of goals and strategies related to the organizational strategic plan and how this relates to the information system function.
IT goals and strategies and how each supports the goals and strategies of the organization.
An information architecture model containing the corporate data model and the related information systems. This is necessary for any changes in business processes.
An inventory of current information systems capabilities, including hardware, software, personnel, application systems, utilization rates, strengths, and weaknesses.
Acquisition and development schedules for hardware, software, and application systems, and for personnel and financial requirements.
IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including safety, privacy, transborder data flows, e-Business, and insurance contracts.
IT risks and a risk action plan. This should include risk identification, measurement, actions, and formal acceptance and communication of residual risk.
A process for modifying the plan to accommodate changes to the organization's strategic plan and changes in information technology conditions.
Process #2 - Develop tactics to plan, communicate, and manage realization of the strategic vision.
Ensure Effectiveness - establish a direction and related policies addressing such aspects as positive control environment throughout the organization, code of conduct/ethics, quality, and security. Then, these policies must be communicated (internally and externally) to obtain commitment and compliance. IS management's direction and policies must be consistent with the control environment established by the organization's senior management.
Ensure Timeliness - management must establish a project management framework to ensure projects are completed on time, are within budget, and are undertaken in order of importance, and that a project management methodology is applied to each project undertaken.
Ensure Quality - management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements.
In the Recording events part (which is the IS part), the duties are broken down even further:
Data Librarian - gives access to information to the right people
Security Officer - issues passwords and can monitor where people are going on their computers
IT Steering Committee - sets up the plan for all of this.
Acquisition and Development
Process #3 - Identify automated solutions.
Several procedures are necessary within the systems development life cycle to ensure selection of the best approach to meeting the user's IT requirements:
Define information requirements
Formulate alternative courses of action
Perform technological, economic, and operational feasibility studies
Assess risks
Make solutions consistent with the strategic information technology plan, the technology infrastructure, and the information architecture.
Upon completion of identifying automated solutions, an organization must decide what approach to take, and whether it will develop the IT solution in-house or contract with third parties.
Process #4 - Develop and acquire IT solutions.
Develop and acquire application software
Acquire technology infrastructure
Develop service level requirements and application documentation
Process #5 - Integrate IT solutions into operational processes.
To ensure that a new or significantly revised system is suitable, the organization's SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
After installation, the SDLC should call for a review to determine that the new system has met users' needs in a cost-effective manner.
Process #6 - Manage changes to existing IT systems.
Program change controls - provide assurance that all modifications to programs are authorized, and ensure that the changes are completed, tested, and properly implemented.
Changes in documentation should mirror the changes made to the related programs.
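Program change control says every modification to a program must be authorized; one detective control that backs this up is comparing what is actually deployed against a manifest of approved changes. The following is an added example, not code from the page or from any change-management product: the approved sources, the change-ticket ids (placeholders), and the deployed directory are all constructed inside the example, and a SHA-256 digest per file is assumed to be the manifest's record of an approved version.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved):
    """approved: {relative_path: (change_ticket, approved_bytes)}
    -> {relative_path: (change_ticket, sha256_of_approved_bytes)}"""
    return {rel: (ticket, sha256_bytes(data)) for rel, (ticket, data) in approved.items()}


def audit_programs(root, manifest):
    """Compare every file under root with the approved-change manifest.

    unchanged : deployed file matches the version a change ticket approved
    modified  : deployed file differs from the approved version (unauthorized change)
    missing   : an approved program is not deployed at all
    unapproved: a deployed file that no change ticket covers
    """
    root = Path(root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    findings = {"unchanged": [], "modified": [], "missing": [],
                "unapproved": sorted(present - manifest.keys())}
    for rel in sorted(manifest):
        _ticket, approved_digest = manifest[rel]
        if rel not in present:
            findings["missing"].append(rel)
        elif sha256_bytes((root / rel).read_bytes()) == approved_digest:
            findings["unchanged"].append(rel)
        else:
            findings["modified"].append(rel)
    return findings


def demo():
    """Build a constructed deployment in a temp directory and audit it."""
    approved = {  # constructed approved sources; ticket ids are placeholders
        "bin/post_ledger.py":     ("CHG-PLACEHOLDER-1", b"print('post ledger v2')\n"),
        "bin/age_receivables.py": ("CHG-PLACEHOLDER-2", b"print('age receivables')\n"),
        "bin/close_period.py":    ("CHG-PLACEHOLDER-3", b"print('close period')\n"),
    }
    manifest = build_manifest(approved)
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        # deployed exactly as approved
        (bindir / "post_ledger.py").write_bytes(approved["bin/post_ledger.py"][1])
        # edited directly on the server after approval
        (bindir / "age_receivables.py").write_bytes(
            b"print('age receivables')  # edited in production\n")
        # deployed with no change ticket at all
        (bindir / "patch_hotfix.py").write_bytes(b"print('hotfix')\n")
        # close_period.py is deliberately not deployed
        return audit_programs(tmp, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

The "modified" and "unapproved" findings are the ones that contradict the control objective; "missing" is a completeness finding (an approved change that never reached production), which the same comparison surfaces for free.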
Delivery and Support
Process #7 - Deliver required IT services.
This process covers the activities related to delivering the IT services that were planned by the IT processes in the planning and organization domain, and developed and implemented by the IT processes in the acquisition and implementation domain.
Process #8 - Ensure security and continuous service.
Ensure continuous service - to ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, which includes business continuity or contingency planning as well as disaster recovery planning for all IT resources and related business resources, both internal and external.
Restrict access to computing resources - to ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical and physical access controls so that access to computing resources (systems, data, programs) is restricted to authorized users for authorized uses. Two types of plans are used: (1) control plans that restrict physical access to computer facilities (layers: perimeter controls, building controls, computer facility controls) and (2) control plans that restrict logical access to stored programs, data, and documentation (identification, authentication, access rights, threat monitoring).
Control plans for restricting physical access to computer facilities - only authorized personnel should be allowed access to the computer facility. One important type of control is biometric identification such as devices that read fingerprints.
Control plans for restricting logical access to stored programs, data, and documentation - entail a number of techniques aimed at controlling online and offline systems.
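The four elements of the logical access control plan named above (identification, authentication, access rights, threat monitoring) are distinct checks, and it helps to see them as separate steps in code. The following is an added example, not code from the page or from any product: the users, passwords, roles, and permission table are constructed, the lockout threshold is an assumed policy value, and PBKDF2-SHA256 is the password hashing chosen for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed access-rights table: role -> set of (resource, action) pairs.
PERMISSIONS = {
    "ar_clerk": {("ar_ledger", "read"), ("ar_ledger", "write")},
    "auditor":  {("ar_ledger", "read"), ("gl", "read")},
}


class AccessControl:
    """Logical access control in four layers: identification, authentication,
    access rights, and threat monitoring (failed-login counting with lockout)."""

    PBKDF2_ITERATIONS = 100_000
    LOCKOUT_THRESHOLD = 3  # assumed policy: failed logins before the account locks

    def __init__(self, permissions=PERMISSIONS):
        self.permissions = permissions
        self.users = {}                  # user_id -> (salt, derived_key, role)
        self.failed = defaultdict(int)   # threat monitoring: consecutive failures
        self.locked = set()
        self.audit_log = []              # (event, user_id, detail) tuples

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ITERATIONS)

    def add_user(self, user_id, password, role):
        salt = os.urandom(16)
        self.users[user_id] = (salt, self._derive(password, salt), role)

    def authenticate(self, user_id, password):
        # Identification: the claimed identity must be a known user.
        if user_id not in self.users:
            self.audit_log.append(("AUTH_FAIL", user_id, "unknown user"))
            return False
        if user_id in self.locked:
            self.audit_log.append(("AUTH_FAIL", user_id, "account locked"))
            return False
        salt, derived, _ = self.users[user_id]
        # Authentication: constant-time comparison of the derived key.
        if hmac.compare_digest(self._derive(password, salt), derived):
            self.failed[user_id] = 0
            self.audit_log.append(("AUTH_OK", user_id, ""))
            return True
        # Threat monitoring: count the failure and lock at the threshold.
        self.failed[user_id] += 1
        self.audit_log.append(("AUTH_FAIL", user_id, "bad password"))
        if self.failed[user_id] >= self.LOCKOUT_THRESHOLD:
            self.locked.add(user_id)
            self.audit_log.append(("LOCKOUT", user_id, f"{self.failed[user_id]} failures"))
        return False

    def authorize(self, user_id, resource, action):
        # Access rights: the user's role must grant this (resource, action) pair.
        role = self.users[user_id][2] if user_id in self.users else None
        allowed = (resource, action) in self.permissions.get(role, set())
        event = "ACCESS_OK" if allowed else "ACCESS_DENIED"
        self.audit_log.append((event, user_id, f"{action} {resource}"))
        return allowed

    def is_locked(self, user_id):
        return user_id in self.locked


def build_demo():
    """Constructed users and passwords for the demonstration."""
    ac = AccessControl()
    ac.add_user("jdoe", "correct-horse-battery", "ar_clerk")
    ac.add_user("amir", "staple-paper-clip", "auditor")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.authenticate("jdoe", "correct-horse-battery"), ac.authorize("jdoe", "ar_ledger", "write"))
    print(ac.authorize("amir", "ar_ledger", "write"))
```

Every decision, allowed or denied, is appended to the audit log, because the threat-monitoring element of the plan depends on the denials being recorded, not just the successes.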
Ensure physical security - to protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls. Refer to pg. 288, Table 8.4 for examples of such controls.
Mirror site - a website that maintains copies of the primary site's programs and data.
Server clustering - used to disperse the processing load among servers so that if one server fails, another can take over.
Electronic vaulting (aka shadowing or replication) - a process that automatically transmits event-related data or actual master data changes on a continuous basis to an off-site electronic vault.
Hot site - a fully equipped data center, often housed in bunker-like facilities, that can accommodate many businesses and that is made available to client companies for monthly subscriber fees.
Cold site - less costly and less responsive than a hot site. It is a facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment.
Process #9 - Provide support services.
To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization's information services, and should see that timely training sessions are conducted, e.g., through a help desk function.
Monitoring
Process #10 - Monitor operations.
To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports.
Summary:
Four Broad IT Control Process Domains:
1) Planning and Organization:
a- Establish strategic vision for IT.
b- Develop tactics to plan, communicate, and manage realization of the strategic vision.
2) Acquisition and Implementation:
a- Identify automated solutions.
b- Develop and acquire IT solutions.
c- Integrate IT solutions into operational processes.
d- Manage changes to existing IT systems.
3) Delivery and Support:
a- Deliver required IT services.
b- Ensure security and continuous service.
c- Provide support services.
4) Monitoring:
a- Monitor operations.
----
Segregation of Duties:
Segregating Events Processing: consists of separating the four basic functions of event processing. They are as follows.
Function 1: Authorizing events - approve phases of event processing
Exs. Approve customer credit, approve picking inventory and sending inventory to the shipping department, approve shipping inventory to the customer, approve recording accounting entries
Function 3: Recording events - record events in books of original entry, post event summaries to the general ledger
Exs.
Record Event Details - debit A/R subsidiary ledger, credit sales journal; debit cost of goods sold - inventory ledger, credit inventory - inventory ledger
Post Event GL Summaries - debit A/R, credit sales; debit cost of goods sold, credit inventory
Function 4: Safeguarding resources resulting from consummating events - physically protect resources, maintain accountability of physical resources
Exs.
Physically Protect Resources - safeguard inventory while in storage at the warehouse, while in transit to the shipping department, and while being prepared for shipment to the customer.
Maintain Accountability - examine and count inventory periodically, and compare the physical total to the recorded total.
The concept underlying segregation of duties is simple enough: through the design of an appropriate organizational structure, no single employee should be in a position both to perpetrate and to conceal frauds, errors, or other kinds of system failures (pg. 268).
Cash handling is the area where segregation of duties is most important, because cash is a highly liquid asset. Any department that accepts funds, has access to accounting records, or has control over any type of asset should be concerned with segregation of duties.
Some examples of incompatible duties are:
· Authorizing a transaction, receiving and maintaining custody of the asset that resulted from the transaction.
· Receiving checks (payment on account) and approving write-offs.
· Depositing cash and reconciling bank statements.
· Approving time cards and having custody of pay checks.
Separation of duties will only limit problems stemming from incompatible duties. It is possible, though not likely, that collusion will occur, making control procedures ineffective. Management needs to be aware of relationships (family and friends) and be alert to the possibility of collusion.
Also, in a small operation, it is not always possible to have enough staff to properly segregate duties. In those cases, management may need to take a more active role to achieve separation of duties, by checking the work done by others. Sometimes, the knowledge that records will be checked by others is enough to prevent misappropriation of assets.
Segregating Information Systems Functions: consists of separating systems development and operations in order to prevent programmers from operating the computer (this reduces the possibility of unauthorized data input or unauthorized modification of stored data and programs).
Segregation of duties is important at all levels within any organization. The University of Utah has a page on its web site devoted to outlining the importance of this control within the organization. The page describes the importance of ensuring that duties such as authorization, custody, record keeping, and reconciliation are divided among four different people to ensure that there is no collusion.
University of Utah - INTERNAL AUDIT
Segregation of Duties
Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1) a deliberate fraud is more difficult because it requires collusion of two or more persons, and 2) it is much more likely that innocent errors will be found. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties.
If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities they have generally been assigned or allowed access to incompatible duties or responsibilities. Some examples of incompatible duties are:
· Authorizing a transaction, receiving and maintaining custody of the asset that resulted from the transaction.
· Receiving checks (payment on account) and approving write-offs.
· Depositing cash and reconciling bank statements.
· Approving time cards and having custody of pay checks.
· Having unlimited access to assets, accounting records and computer terminals and programs. For instance having access and using checks as the source documents to post to accounting records rather than using a check log or receipts.
There are four general categories of duties or responsibilities which are examined when segregation of duties are discussed: authorization, custody, record keeping and reconciliation. In an ideal system, different employees would perform each of these four major functions. In other words, no one person should have control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties - especially when dealing with cash, negotiable checks and inventories.
In those instances where duties cannot be fully segregated, mitigating or compensating controls must be established. Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities. For instance, if the record keeper also performs a reconciliation process a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions. Segregation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls in that arena include passwords, inquiry only access, logs, dual authorization requirements, and documented reviews of input/output.
Some special aspects of segregation of duties apply to IT functions themselves. There should be segregation between systems development and operations, operations and data control, and data base administration and system development.
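Both the page's own list of incompatible duties and the University of Utah excerpt reduce to the same rule: classify every duty as authorization, custody, record keeping, or reconciliation, and no one person may hold duties from two categories. That rule is mechanical enough to check automatically against a role assignment list, which is how identity-governance tools implement it. The following is an added example, not code from the page, the textbook, or the University of Utah: the duty catalogue and the user assignments are constructed, and the category names are the four from the excerpt.

```python
# Constructed duty catalogue: duty -> one of the four control categories.
DUTY_CATEGORY = {
    "approve_credit":       "authorization",
    "approve_writeoffs":    "authorization",
    "approve_timecards":    "authorization",
    "receive_checks":       "custody",
    "deposit_cash":         "custody",
    "distribute_paychecks": "custody",
    "post_ar_ledger":       "record keeping",
    "reconcile_bank":       "reconciliation",
}

# Constructed role assignments: user -> duties currently held.
ASSIGNMENTS = {
    "alice": ["approve_credit", "approve_writeoffs"],     # two authorization duties: fine
    "bob":   ["receive_checks", "approve_writeoffs"],     # custody + authorization
    "carol": ["deposit_cash", "reconcile_bank"],          # custody + reconciliation
    "dave":  ["post_ar_ledger"],                          # single category: fine
    "erin":  ["approve_timecards", "distribute_paychecks"],  # authorization + custody
}


def categories_held(duties, catalogue=DUTY_CATEGORY):
    """Sorted list of distinct categories covered by a set of duties."""
    unknown = [d for d in duties if d not in catalogue]
    if unknown:
        raise KeyError(f"duties not in catalogue: {unknown}")
    return sorted({catalogue[d] for d in duties})


def sod_conflicts(assignments, catalogue=DUTY_CATEGORY):
    """Detective check: users holding duties from two or more categories.
    Returns {user: [categories]} for each conflicting user."""
    conflicts = {}
    for user, duties in assignments.items():
        cats = categories_held(duties, catalogue)
        if len(cats) >= 2:
            conflicts[user] = cats
    return conflicts


def would_conflict(user, new_duty, assignments, catalogue=DUTY_CATEGORY):
    """Preventive check, run before a new duty is granted: returns the existing
    duties whose category differs from the one being added (empty list = safe)."""
    new_cat = catalogue[new_duty]
    return sorted(d for d in assignments.get(user, []) if catalogue[d] != new_cat)


if __name__ == "__main__":
    for user, cats in sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: holds {' + '.join(cats)}; compensating control required")
    print("dave + reconcile_bank:", would_conflict("dave", "reconcile_bank", ASSIGNMENTS))
```

Users the detective check flags are exactly the cases the excerpt says need a documented compensating control (for instance a supervisor's review of the reconciliation); the preventive check lets the same rule block the incompatible assignment before it is made.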
----
Personnel control Plans: pg 271 - 274
Key Control Issues: IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, backup, performance evaluation, job change, and termination. An organization that does not have a critical mass of honest, competent employees will find it virtually impossible to implement other control plans.
Selecting and Hiring Plans: Candidates applying for positions should be carefully screened, selected, and hired. The requirement for a technical background and the shortage of qualified applicants make the selection and hiring of systems personnel particularly important.
Retention Plans: Retaining qualified personnel can be even more difficult than hiring them. Again, the problem is especially critical when dealing with systems personnel. Companies should make every effort to provide creative and challenging work opportunities and, when possible, to offer open channels to management-level positions. There are many reasons why workforce attrition has become a critical concern:
· The high cost of recruiting, hiring, and training a new employee
· Corporate productivity is hurt by losing key players
· Losing talent to competitors can lessen competitive advantage
· High turnover can affect the morale of the remaining workforce
· New, inexperienced employees can cause customer dissatisfaction
Personnel Development Plans: Training must be regular, not haphazard. Deficiencies noted in an employee's background should be rectified through proper training or education. Training must be preeminent in an employee's work schedule. In general, performance reviews are performed for at least four reasons. First, a review determines whether an employee is satisfying the requirements of a position as indicated by a job description. Second, it assesses an employee's strengths and weaknesses. Third, it assists management in determining whether to make salary adjustments and whether to promote an employee. Finally, it identifies opportunities for training and for personal growth.
Personnel Management Plans: Personnel planning control plans project the future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions. Job description control plans lay out the responsibilities for each position on an organization chart and identify the resources to be used in performing those responsibilities. Supervision control plans involve the processes of approving, monitoring, and observing the work of others. Personnel security control plans prevent the organization's own personnel from committing acts of computer abuse, fraud, or theft of assets. Termination control plans define a set of procedures a company follows when an employee voluntarily or involuntarily leaves the organization.
Controlling Information Systems: IT Processes:
In chapter 8 we look at controls specifically designed for the Information Systems Function.
(What is this?) - IT resources:COBIT's defintion of Control: the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Compared to the COSO definition of internal control, they both refer to the achievement of objectives: COSO states them explicitly, and COBIT refers them to the quality of information. In addition, the COBIT definition states that controls should address 'undesired events'.
The Effects of Information Technology (IT) on the emergence of Auditing ProgramsMany corporations operate on a variety of computers platforms, and the auditor needs to be able to extract the data from them, bring it into a common format, analyze it, and transform it into useful information. Fortunately, there are similarities in how almost all types of computers stores financial information, whether it is IBM PC, Apple Macintosh minicomputer, or mainframe, all of which store data in three levels; files, records and fields. Levi (1997) argues that with the right software, the audits can be more comprehensive and less costly for the firm. Tools are available that can help the auditing team dealing with mountain of data on corporate computers. By using these programs effectively, auditors will be able to increase the scope of their audits substantially, while reducing the time and cost to perform these tasks. For example, an open item accounts receivable file contains thousands, if not ten thousands of open-item detail records, and when properly stored, grouped, presented, and summarized, these records form the aged accounts receivable listing. Examples of these auditing programs, whose names have now become very familiar include the following:
Datawatch Corporation’s Monarch: is an auditing program that can help auditors by turning any computer printer file .PRN format into a table format, which makes it easy to spot errors and suspicious entries in the data. Monarch 3.0 also can read a file that has been printed out to a diskette, and gives the auditor three distinct views of the data. It can also detect a fraud by verifying the clerical accuracy and aging of a certain listing in less time than it might take the auditor to test-add one column.
ACL for Windows: is an auditing software program that allows auditors to analyze, interrogate and report on data from virtually any computer platform. The recently released 4.0 version enhances the program’s already user-friendly and easy to-use interface.
WinIDEA, (Interactive Data Extraction and Analysis for Windows) is another audit software package that has been developed by the Canadian Institute of Chartered Accountants (CICA), as a powerful and easy-to-use productivity tool, to help auditors display, analyze, manipulate or extract data from other computer systems, and helps easily the auditor to make inquiry of data files from a range of computer platforms sources and application program outputs.
The role of auditing in IT and security.
Control Objectives for Information and related Technology (COBIT)
What is COBIT? A Brief History
The Control Objectives for Information and related Technology (COBIT), 1st edition was primarily issued in 1996, as a totally new educational tool for Information Systems (IS) auditors and control professionals. The COBIT was primarily sponsored and designed by the Information Systems Audit and Control Foundation (ISACF). The ISACF’s mission when it first issued COBIT was to research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditorsHow does COBIT work? What does it do?
COBIT is designed to be used by three distinct audiences; auditors, management, and the end users. But how COBIT actually aids these three parties in performing their duties? First, COBIT aids IS auditors to substantiate their opinion and /or provide advice to management on internal controls, and by using COBIT as basis for determining the IT audit universe, as IT control reference, and as criteria for reviewing and examination, and for framing the IT-related audits, it could serve IS auditors’ high-level control objectives. Second, according to COBIT 2nd edition executive summary (1998), if the management of the organization needs generally applicable and accepted IT governance and control practices to benchmark their existing and planned IT environment, then COBIT is the tool that allows managers to communicate and bridge the gap with respect to control requirements, technical issues and business risks. COBIT enables the development of a clear policy and good practice for IT control through organizations, worldwide. It is COBIT’s goal to provide these control objectives, within the defined framework and obtain endorsement from commercial, government and professional organizations. Thus, COBIT is intended to be the breakthrough IT governance tool that helps in understanding and managing the risks associated with information and related IT. COBIT helps the management balancing the risk and control investment in an often unpredictable IT environment. Managers can use COBIT to guide their IT investment decisions and to obtain assurance that they are obtaining optimal results from their IT resources. Third, COBIT aids the end-users through the proper and accurate application of COBIT, as they can obtain assurance on the security and control of IT services provided by internal third parties, and with COBIT, users can obtain assurance that their business processes are well supported by their IT services. 
In addition to auditors, managers, and end users, COBIT is also designed to empower business process owners so that they have full responsibility for all aspects of their business processes. Thus, the COBIT framework provides the business process owner with a tool that facilitates the discharge of this responsibility, and its simple and pragmatic premise is: "In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes." (COBIT 2nd edition, April 1998)
How can COBIT improve the audit?
COBIT enhances the risk assessment and audit planning processes through COBIT-based matrices, which the audit team can use during pre-audit work to help identify areas for audit or Management Advisory Service work. The matrix also helps in identifying whether audit work related to an IT process was included in the prior audit scope; if it was, the form requires the auditor to record the conclusions drawn from that prior audit work.
Using COBIT to review control objectives
COBIT has been developed as a generally applicable and accepted standard for good practice in IT control. The authors of COBIT position it, as a newly developed control model, as a bridge between "business control models" such as COSO (Committee of Sponsoring Organizations of the Treadway Commission, 1994) and the more "focused control models for information technology" such as DTI (Department of Trade & Industry, 1993). The COBIT model focuses on specific and detailed control objectives associated with 32 IT processes, which are classified into 4 main domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. The value of the COBIT program is the assistance it provides in establishing a proper audit plan, since both its framework and its illustrated implementation plan provide detailed guidelines that enable practitioner auditors to review specific IT processes against specified control objectives.
Information Systems Function (ISF): pg. 261 - 264
Definition: what is the ISF?
An organization's information systems function (ISF) is the department or function that develops and operates an organization's information system. The function (department) is composed of people, procedures, and equipment, and it is typically called the information services department, IT department, or data processing department.
Types of Organizational structures for ISF:
- Centralized: places the information systems function under the line authority of the vice president of information systems (also known as the chief information officer or CIO). In practice, organizations have structured their information systems function in ways other than the centralized arrangement illustrated in Figure 8.2 on page 261.
- Decentralized: assigns personnel to non-central organizational units (e.g., departments).
- Functional: assigns personnel to skills-based units (e.g., programming, systems analysis). Used by both decentralized and centralized organizations.
- Matrix: assembles work groups or teams, comprised of members from different functional areas, under the authority of a team leader.
- Project: establishes permanent systems development structures such as "Financial Systems Development."
Summarize the key control concerns (similar to business exposures) for the various ISF functions (see if you can combine similar concerns by hierarchical layer in the organization chart).
COBIT Control Process Domains: pg. 265
- Acquisition and Implementation
  - Process#3 - Identify automated solutions.
    - Several procedures are necessary within the systems development life cycle (SDLC) to ensure selection of the best approach to meeting the user's IT requirements:
      - Define information requirements
      - Formulate alternative courses of action
      - Perform technological, economic, and operational feasibility studies
      - Assess risks
      - Make solutions consistent with the strategic information technology plan, the technology infrastructure, and the information architecture.
    - Upon completion of identifying automated solutions, an organization must decide what approach to take, and whether it will develop the IT solution in-house or contract with third parties.
  - Process#4 - Develop and acquire IT solutions.
    - Develop and acquire application software
    - Acquire technology infrastructure
    - Develop service level requirements and application documentation
  - Process#5 - Integrate IT solutions into operational processes.
    - To ensure that a new or significantly revised system is suitable, the organization's SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
    - After installation, the SDLC should call for a review to determine that the new system has met users' needs in a cost-effective manner.
  - Process#6 - Manage changes to existing IT systems.
    - Program change controls provide assurance that all modifications to programs are authorized, and ensure that the changes are completed, tested, and properly implemented.
    - Changes in documentation should mirror the changes made to the related programs.
- Delivery and Support
  - Process#7 - Deliver required IT services.
    - Activities related to the delivery of the IT services that were planned by the IT processes in the planning and organization domain, and developed and implemented by the IT processes in the acquisition and implementation domain.
  - Process#8 - Ensure security and continuous service.
    - Ensure continuous service: to ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, which includes business continuity or contingency planning as well as disaster recovery planning for all IT resources and related business resources, both internal and external.
    - Restrict access to computing resources: to ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical and physical access controls so that access to computing resources (systems, data, programs) is restricted to authorized users for authorized uses. This is done with two types of plans: (1) control plans that restrict physical access to computer facilities (layers: perimeter controls, building controls, computer facility controls) and (2) control plans that restrict logical access to stored programs, data, and documentation (identification, authentication, access rights, threat monitoring).
      - Control plans for restricting physical access to computer facilities: only authorized personnel should be allowed access to the computer facility. One important type of control is biometric identification, such as devices that read fingerprints.
      - Control plans for restricting logical access to stored programs, data, and documentation: entail a number of techniques aimed at controlling online and offline systems.
    - Ensure physical security: to protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls. Refer to pg. 288, Table 8.4 for examples of such controls.
    - Mirror site: a site that maintains copies of the primary site's programs and data.
    - Server clustering: used to disperse the processing load among servers so that if one server fails, another can take over.
    - Electronic vaulting (aka shadowing or replication): a process that automatically transmits event-related data or actual master data changes on a continuous basis to an off-site electronic vault.
    - Hot site: a fully equipped data center, often housed in bunker-like facilities, that can accommodate many businesses and that is made available to client companies for monthly subscriber fees.
    - Cold site: less costly and less responsive than a hot site. It is a facility usually comprising air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment.
  - Process#9 - Provide support services.
    - To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization's information services, and should see that timely training sessions are conducted, e.g., through a help desk function.
- Monitoring
  - Process#10 - Monitor operations.
    - To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports.
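The four logical-access layers listed under Process#8 (identification, authentication, access rights, threat monitoring) can be seen working together in a small access-control gate. The following is an added example, not code from the textbook or from COBIT: the user names, passwords, resource names and the rights table are constructed sample data, and the choice of PBKDF2 password hashing, the dummy credential used to keep unknown names from being distinguishable by timing, and the alert threshold of three failures are this example's own assumptions.

```python
"""Added example (not from the textbook or COBIT): identification, authentication,
access rights and threat monitoring modelled as a small access-control gate.
Users, passwords, resources and the rights table are constructed sample data;
PBKDF2 hashing and the failure threshold are our own choices (assumptions)."""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 100_000   # illustrative work factor (assumption)
ALERT_THRESHOLD = 3           # repeated failures before monitoring raises an alert (assumption)


def make_credential(password: str) -> dict:
    """Store a per-user random salt plus a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Identification layer: the set of known subjects (constructed accounts).
USERS = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("hunter2-but-much-longer"),
}
# A dummy credential so that an unknown user name costs the same time to check
# as a wrong password; otherwise timing would reveal which names exist.
_DUMMY = make_credential(os.urandom(8).hex())

# Access-rights layer: (subject, object) -> permitted operations. Absence means deny.
ACCESS_RIGHTS = {
    ("alice", "payroll_master"): {"read", "update"},
    ("bob", "payroll_master"): {"read"},
    ("bob", "ar_open_items"): {"read", "update"},
}


class ThreatMonitor:
    """Threat-monitoring layer: count failures per subject and alert on repeats."""

    def __init__(self):
        self.login_failures = defaultdict(int)
        self.access_denials = defaultdict(int)
        self.alerts = []

    def login_failed(self, user: str) -> None:
        self.login_failures[user] += 1
        if self.login_failures[user] == ALERT_THRESHOLD:
            self.alerts.append(f"repeated login failures for {user!r}")

    def access_denied(self, user: str, obj: str, op: str) -> None:
        self.access_denials[user] += 1
        if self.access_denials[user] == ALERT_THRESHOLD:
            self.alerts.append(f"repeated access denials for {user!r} (last: {op} on {obj})")


def authenticate(monitor: ThreatMonitor, user: str, password: str) -> bool:
    """Identification (is the name known?) plus authentication (does the secret match?)."""
    cred = USERS.get(user, _DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ITERATIONS)
    # compare_digest runs in constant time; the membership test keeps unknown names out.
    ok = hmac.compare_digest(digest, cred["hash"]) and user in USERS
    if not ok:
        monitor.login_failed(user)
    return ok


def authorize(monitor: ThreatMonitor, user: str, obj: str, op: str) -> bool:
    """Access-rights check: allowed only if the (subject, object) entry lists the operation."""
    allowed = op in ACCESS_RIGHTS.get((user, obj), set())
    if not allowed:
        monitor.access_denied(user, obj, op)
    return allowed


if __name__ == "__main__":
    mon = ThreatMonitor()
    print(authenticate(mon, "alice", "correct horse battery staple"))  # True
    print(authorize(mon, "bob", "payroll_master", "update"))            # False
```

The design point is that the layers are separate decisions: a subject that authenticates successfully still gets nothing beyond what the rights table lists, and every refusal at either layer feeds the monitor, so repeated failures become a reviewable event rather than silent noise.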
Summary: Four Broad IT Control Process Domains:
- 1) Planning and Organization:
  - a- Establish strategic vision for IT.
  - b- Develop tactics to plan, communicate, and manage realization of the strategic vision.
- 2) Acquisition and Implementation:
  - a- Identify automated solutions.
  - b- Develop and acquire IT solutions.
  - c- Integrate IT solutions into operational processes.
  - d- Manage changes to existing IT systems.
- 3) Delivery and Support:
  - a- Deliver required IT services.
  - b- Ensure security and continuous service.
  - c- Provide support services.
- 4) Monitoring:
  - a- Monitor operations.
Segregation of Duties:
- Segregating Events Processing: consists of separating the four basic functions of event processing. They are as follows.
  - Function 1: Authorizing events - approve phases of event processing
  - Cash handling is the area where segregation of duties is most important, because cash is a highly liquid asset. Any department that accepts funds, has access to accounting records, or has control over any type of asset should be concerned with segregation of duties.
  - Some examples of incompatible duties are:
    - Authorizing a transaction and receiving and maintaining custody of the asset that resulted from the transaction.
    - Receiving checks (payment on account) and approving write-offs.
    - Depositing cash and reconciling bank statements.
    - Approving time cards and having custody of pay checks.
  - Separation of duties will only limit problems stemming from incompatible duties. It is possible, though not likely, that collusion will occur, making control procedures ineffective. Management needs to be aware of relationships (family and friends) and be alert to the possibility of collusion.
  - Also, in a small operation, it is not always possible to have enough staff to properly segregate duties. In those cases, management may need to take a more active role in achieving separation of duties by checking the work done by others. Sometimes, the knowledge that records will be checked by others is enough to prevent misappropriation of assets.
- Segregating Information Systems Functions: consists of separating systems development and operations in order to prevent programmers from operating the computer (this reduces the possibility of unauthorized data input or unauthorized modification of stored data and programs).
Segregation of duties is important at all levels within any organization. The University of Utah has on its web site (http://www.utah.edu/) a page devoted to outlining the importance of this control within the organization. The page explains the importance of ensuring that duties such as authorization, custody, record keeping, and reconciliation are divided among four different people to guard against collusion. The text below is quoted from University of Utah - Internal Audit:
Segregation of Duties
Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1) a deliberate fraud is more difficult because it requires collusion of two or more persons, and 2) it is much more likely that innocent errors will be found. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties.
If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have generally been assigned or allowed access to incompatible duties or responsibilities. Some examples of incompatible duties are:
- Authorizing a transaction, receiving and maintaining custody of the asset that resulted from the transaction.
- Receiving checks (payment on account) and approving write-offs.
- Depositing cash and reconciling bank statements.
- Approving time cards and having custody of pay checks.
- Having unlimited access to assets, accounting records and computer terminals and programs. For instance having access and using checks as the source documents to post to accounting records rather than using a check log or receipts.
There are four general categories of duties or responsibilities which are examined when segregation of duties is discussed: authorization, custody, record keeping and reconciliation. In an ideal system, different employees would perform each of these four major functions. In other words, no one person should have control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties - especially when dealing with cash, negotiable checks and inventories.
In those instances where duties cannot be fully segregated, mitigating or compensating controls must be established. Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities. For instance, if the record keeper also performs a reconciliation process a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions. Segregation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls in that arena include passwords, inquiry only access, logs, dual authorization requirements, and documented reviews of input/output.
Some special aspects of segregation of duties apply to IT functions themselves. There should be segregation between systems development and operations, operations and data control, and data base administration and system development.
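The rule stated above (no one person holds two or more of authorization, custody, record keeping and reconciliation) and the compensating-control idea are easy to turn into a check an internal auditor can run over a role roster. The following is an added example written for these notes, not code from the textbook or from the University of Utah page: the duty catalogue, the employees and the compensating-control record are constructed sample data, and the duty names are this example's own labels for the incompatible activities listed in the text.

```python
"""Added example (not from the textbook or the University of Utah page): a
segregation-of-duties conflict check over employee duty assignments. The duty
catalogue, employees and compensating-control records are constructed sample
data; the duty names are our own labels for the activities named in the text."""
from itertools import combinations

# Each duty is mapped to one of the four general categories named in the text.
DUTY_CATEGORY = {
    "authorize_transaction": "authorization",
    "approve_write_offs": "authorization",
    "approve_time_cards": "authorization",
    "receive_checks": "custody",
    "deposit_cash": "custody",
    "custody_of_pay_checks": "custody",
    "custody_of_resulting_asset": "custody",
    "post_to_ledger": "record_keeping",
    "reconcile_bank_statements": "reconciliation",
}


def is_incompatible(duty_a: str, duty_b: str) -> bool:
    """Two duties are incompatible when they fall in different general categories:
    no one person should hold two or more of authorization, custody,
    record keeping and reconciliation for the same asset stream."""
    return DUTY_CATEGORY[duty_a] != DUTY_CATEGORY[duty_b]


def find_conflicts(assignments: dict, compensating_controls: set = frozenset()) -> list:
    """Return (employee, duty_a, duty_b, status) for every incompatible pair held by
    one person. status is 'mitigated' when a documented compensating control
    (e.g. supervisor review of the reconciliation) is recorded for that pair,
    otherwise 'open'."""
    findings = []
    for employee, duties in assignments.items():
        for duty_a, duty_b in combinations(sorted(duties), 2):
            if not is_incompatible(duty_a, duty_b):
                continue
            pair = frozenset({duty_a, duty_b})
            status = "mitigated" if (employee, pair) in compensating_controls else "open"
            findings.append((employee, duty_a, duty_b, status))
    return findings


def categories_held(assignments: dict) -> dict:
    """Employee -> set of general categories, useful for spotting people who hold
    two or more phases of a transaction even before pair-level review."""
    return {emp: {DUTY_CATEGORY[d] for d in duties} for emp, duties in assignments.items()}


# Constructed sample roster: three of the incompatible pairs from the text,
# one of them covered by a documented supervisor review (a compensating control).
SAMPLE_ASSIGNMENTS = {
    "pat": {"receive_checks", "approve_write_offs"},
    "sam": {"deposit_cash", "reconcile_bank_statements"},
    "lee": {"post_to_ledger"},
    "kim": {"approve_time_cards", "custody_of_pay_checks"},
}
SAMPLE_COMPENSATING_CONTROLS = {
    ("sam", frozenset({"deposit_cash", "reconcile_bank_statements"})),
}

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING_CONTROLS):
        print(finding)
```

An "open" finding is one that needs either a reassignment or a documented compensating control; a "mitigated" finding still appears in the output so that the reviewer can confirm the compensating control is actually being performed, which is the weak point the text warns about in small operations.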
Personnel Control Plans: pg 271 - 274
- Selecting and Hiring Plans: Candidates applying for positions should be carefully screened, selected, and hired. The requirement for a technical background and the shortage of qualified applicants make the selection and hiring of systems personnel particularly important.
- Retention Plans: Retaining qualified personnel can be even more difficult than hiring them. Again, the problem is especially critical when dealing with systems personnel. Companies should make every effort to provide creative and challenging work opportunities and, when possible, to offer open channels to management-level positions. There are many reasons why workforce attrition has become a critical concern:
  - The high cost of recruiting, hiring and training a new employee
  - Corporate productivity is hurt by losing key players
  - Losing talent to competitors can lessen competitive advantage.
  - High turnover can affect the morale of the remaining workforce.
  - New, inexperienced employees can cause customer dissatisfaction
- Personnel Development Plans: Training must be regular, not haphazard. Deficiencies noted in an employee's background should be rectified through proper training or education. Training must be preeminent in an employee's work schedule. In general, performance reviews are performed for at least four reasons. First, a review determines whether an employee is satisfying the requirements of a position as indicated by a job description. Second, it assesses an employee's strengths and weaknesses. Third, it assists management in determining whether to make salary adjustments and whether to promote an employee. Finally, it identifies opportunities for training and for personal growth.
- Personnel Management Plans: Personnel planning control plans project future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions. Job description control plans lay out the responsibilities for each position on an organization chart and identify the resources to be used in performing those responsibilities. Supervision control plans involve the processes of approving, monitoring, and observing the work of others. Personnel security control plans prevent the organization's own personnel from committing acts of computer abuse, fraud or theft of assets. Termination control plans define a set of procedures a company follows when an employee voluntarily or involuntarily leaves the organization.